Web Application Header Configuration Requirements

Ingrid

The entire header configuration (not individual errors) is analyzed for the Web Application Headers risk vector. Refer to the following configuration requirements.

Requirements for GOOD grade:
- No misconfigured headers (required or optional) are present.

Requirements for FAIR grade:
- No more than 50% distinct misconfigured headers can be present (required and optional).

For HTTP connections, no headers are graded unless Set-Cookie is defined. The finding grade defaults to NEUTRAL.

See all assessed headers or how the Web Application Headers risk vector is assessed.

The Web Application Headers (WAH) risk vector was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned with an N/A grade.

HTTP Downgrade

The following errors downgrade the response from HTTPS to HTTP:
- 200 responses
- 30X responses
- 401 responses

See HTTP downgrade finding messages.

HTTP 1.1 (HTTPS)

| Response | Description |
| --- | --- |
| 200 | We validate that no hyperlinks in the HTML for the web page downgrade the user inside the site and the domain of the site. We also validate and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS. The finding is graded BAD if these resources are present. |
| 30x (301, 302, 307) | Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded as BAD. |

HTTP 1.0 (HTTPS)

| Response | Description |
| --- | --- |
| 200 | We validate that no hyperlinks in the HTML for the web page downgrade the user inside the site and the domain of the site. We also validate and ensure the HTML of the webpage does not import resources (such as scripts and images) from outside the site using HTTP instead of HTTPS. The finding is graded BAD if these resources are present. |
| 30x (302, 307) | Any HTTPS finding that immediately downgrades the user to an HTTP connection using a redirect is graded as BAD. |

October 14, 2025: WAH non-graded.
August 16, 2024: Published.

1 comment

Mladen Prekrat, March 06, 2026 12:13

Hi Ingrid, the links in the table “Header Requirements for Transfer Protocols” are currently invalid, as the referenced pages do not exist. Please update these links accordingly.
Br, Mladen
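The HTTP downgrade checks described in the article's tables can be reproduced locally before a scan. The following is an added example, not the vendor's assessment code: the function and class names, the tag list, and the exact-hostname definition of "inside the site" are assumptions, and the HTML is a constructed sample.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed tag/attribute sets: what loads a resource vs. what navigates the user.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src"}
LINK_ATTRS = {"a": "href", "form": "action"}

# Constructed sample page, assumed to be served from https://shop.example.test/
SAMPLE_HTML = """
<a href="http://shop.example.test/cart">Cart</a>
<a href="/account">Account</a>
<a href="http://partner.example.net/">Partner</a>
<script src="http://cdn.example.net/lib.js"></script>
<img src="https://cdn.example.net/logo.png">
"""

class DowngradeScanner(HTMLParser):
    """Collect http:// references found in a page that was served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, kind in ((RESOURCE_ATTRS, "resource"), (LINK_ATTRS, "hyperlink")):
            value = attrs.get(table.get(tag, ""))
            if not value:
                continue
            target = urlsplit(urljoin(self.page_url, value.strip()))
            same_site = target.hostname == self.site_host
            # Following the article's wording: hyperlinks are checked inside the
            # site, resource imports are checked when loaded from outside it.
            in_scope = same_site if kind == "hyperlink" else not same_site
            if target.scheme == "http" and in_scope:
                self.findings.append((kind, tag, target.geturl()))

def scan_page(page_url, html):
    """Return the downgrade findings for a 200 response body."""
    scanner = DowngradeScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def redirect_downgrades(request_url, status, location):
    """True when an HTTPS request gets a 30x redirect to an http:// URL."""
    if urlsplit(request_url).scheme != "https" or status not in (301, 302, 307):
        return False
    return urlsplit(urljoin(request_url, location or "")).scheme == "http"
```

A non-empty result from `scan_page`, or `True` from `redirect_downgrades`, corresponds to the conditions the tables grade as BAD.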